RCE via ND6 Router Advertisements in FreeBSD

A critical remote code execution vulnerability has been discovered in FreeBSD's IPv6 router advertisement processing. This flaw allows attackers on the same network segment to execute arbitrary commands by exploiting a lack of input validation in rtsold and resolvconf. Hacker News is buzzing about the potential impact on unpatched embedded FreeBSD systems and the surprisingly old-school shell scripting vulnerability at its core.

Score: 19 | Comments: 13 | Highest rank: #2 | Time on front page: 11h | First seen: Dec 18, 9:00 AM | Last seen: Dec 18, 7:00 PM

The Lowdown

A significant security advisory from The FreeBSD Project reveals a remote code execution (RCE) vulnerability, CVE-2025-14558, affecting all supported versions of the operating system. This critical flaw stems from improper input validation in IPv6 network configuration tools, potentially allowing malicious actors to compromise systems within the same local network.

  • The vulnerability exists in rtsold(8) and rtsol(8), programs responsible for processing IPv6 Router Advertisements (RAs) for stateless address autoconfiguration (SLAAC).
  • Specifically, these programs fail to validate the "domain search list options" within RAs, passing them directly to resolvconf(8).
  • resolvconf(8) is a shell script that does not quote these values properly, so the unvalidated input is interpreted by the shell, resulting in command injection.
  • Impact is limited to systems on the same network segment, as router advertisements are not routable across different networks.
  • All supported FreeBSD versions are affected, with no available workaround other than disabling IPv6 or not accepting RAs.
  • The fix involves upgrading to patched versions or applying source code patches, with specific instructions provided for freebsd-update and manual compilation.

This advisory highlights the persistent challenges in network protocol security and the dangers of unquoted variables in shell scripting, even in core operating system components. Users are strongly advised to update their FreeBSD systems immediately to mitigate the risk of local network compromise.
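
As an added example (not code from the FreeBSD advisory or its patch), the C below shows the kind of check the list above describes as missing: it decodes an RA domain search list option in the RFC 8106 wire format and rejects the whole option if any label contains a byte outside a conservative allow-list, so nothing unexpected is handed to a shell script. The function name `dnssl_decode`, the allow-list, and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#define OPT_DNSSL 31        /* RFC 8106 DNSSL option type */
#define DNSSL_NAME_MAX 255  /* longest dotted name accepted */

/* Conservative allow-list (an assumption of this example). */
static int label_char_ok(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_';
}

/* Decode each name in a DNSSL option into out[] as dotted text.
 * Returns the name count, or -1 if the option is malformed or any label
 * holds a byte outside the allow-list (the whole option is rejected). */
int dnssl_decode(const unsigned char *opt, size_t len,
                 char out[][DNSSL_NAME_MAX + 1], int max_names) {
    if (len < 16 || opt[0] != OPT_DNSSL || (size_t)opt[1] * 8 != len)
        return -1;
    size_t i = 8;   /* skip type, length, reserved, lifetime */
    int n = 0;
    while (i < len && opt[i] != 0) {        /* a zero byte here is padding */
        if (n == max_names) return -1;
        size_t o = 0;
        for (;;) {
            if (i >= len) return -1;        /* name runs past the option */
            unsigned llen = opt[i++];
            if (llen == 0) break;           /* root label ends the name */
            if (llen > 63 || i + llen > len || o + llen + 1 > DNSSL_NAME_MAX)
                return -1;                  /* oversize, truncated, or pointer */
            if (o) out[n][o++] = '.';
            for (unsigned k = 0; k < llen; k++, i++) {
                if (!label_char_ok(opt[i])) return -1;
                out[n][o++] = (char)opt[i];
            }
        }
        out[n++][o] = '\0';
    }
    return n;
}

int main(void) {
    /* Constructed sample option: one name, "example.test", 24 bytes. */
    const unsigned char opt[24] = {31, 3, 0, 0, 0, 0, 7, 8,
        7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 4, 't', 'e', 's', 't', 0};
    char names[4][DNSSL_NAME_MAX + 1];
    int n = dnssl_decode(opt, sizeof opt, names, 4);
    printf("%d name(s): %s\n", n, n > 0 ? names[0] : "(none)");
    return 0;
}
```

Rejecting the entire option on the first bad byte, rather than stripping characters, keeps the decoder from ever emitting a partially sanitized name; any script that later consumes the names should still quote them.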

The Gossip

Embedded Entanglements: The Silent Threat to Unpatched Appliances

The vulnerability sparked significant concern for embedded systems and appliances running FreeBSD. Commenters highlighted the difficulty of updating such devices, often due to a lack of user awareness about the underlying OS or the absence of an easy update path, making them particularly vulnerable to this local network RCE.

IPv6's Invisible Invasion: Local Exploitation Scenarios

The discussion quickly moved to the practical implications of the "same network segment" attack vector. While some commenters initially downplayed IPv6's prevalence, others pointed out that it is enabled by default in many modern routers. This led to a discussion of scenarios like malicious Wi-Fi hotspots, where an attacker could easily trick vulnerable FreeBSD laptops into connecting and then send them crafted router advertisements.

Scripting's Slip-Up: Unquoted Variables in Core OS Components

At the heart of the vulnerability lies a classic shell injection flaw: `resolvconf(8)`, a shell script, failed to properly quote variables, allowing malicious input from `rtsold(8)` to be executed. This fundamental error in handling untrusted network data in a core OS component drew attention to the ongoing challenges of securing system-level scripting and even prompted humorous remarks about the